[Samba] Fwd: Winbind and GPO access restrictions?

Rowland Penny rpenny at samba.org
Mon Oct 4 15:39:18 UTC 2021


On Mon, 2021-10-04 at 13:10 +0200, Kees van Vloten via samba wrote:
> On 02-10-2021 22:50, Rowland Penny via samba wrote:
> > On Sat, 2021-10-02 at 22:46 +0200, Kees van Vloten wrote:
> > > On 02-10-2021 22:16, Rowland Penny via samba wrote:
> > > > > On Sat, 2021-10-02 at 22:05 +0200, Kees van Vloten via samba wrote:
> > > > > On 02-10-2021 21:58, Rowland Penny via samba wrote:
> > > > > > > On Sat, 2021-10-02 at 21:51 +0200, Kees van Vloten via samba wrote:
> > > > > > > > I don't know what you have in /etc/sudoers or /etc/sudoers.d.
> > > > > > > I have already shown that my name is not in /etc/sudoers and
> > > > > > > /etc/sudoers.d/ is virtually empty:
> > > > > > 
> > > > > > rowland at devstation:~$ ls /etc/sudoers.d
> > > > > > README
> > > > > > 
> > > > > > But I can use sudo.
> > > > > > 
> > > > > > Rowland
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > Indeed you did, but you did not show the /etc/sudoers file. I would
> > > > > > expect it to contain a line that allows a group you are member of
> > > > > > to provide you root access.
> > > > Believe me it doesn't
> > > > 
> > > > 
> > > > 
> > > > > > If you want to see sudo-rules that are matching for your user you
> > > > > > can do sudo -l from your user.
> > > > Here you are:
> > > > 
> > > > rowland at devstation:~$ sudo -l
> > > > [sudo] password for rowland:
> > > > Matching Defaults entries for rowland on devstation:
> > > > >     !env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_reset, mail_badpass,
> > > > >     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
> > > > 
> > > > User rowland may run the following commands on devstation:
> > > >       (ALL : ALL) ALL
> > > > 
> > > > > Would it help if I told you that I do this on all my Unix domain
> > > > > members and DCs without modifying any sudo files?
> > > > 
> > > > Rowland
> > > > 
> > > > 
> > > > 
> > > > The one thing I see here is that there is indeed a sudo-rule that
> > > > allows you full root access given you enter your password.
> > > > The output does not show on what basis you get this rule
> > > > "(ALL : ALL) ALL" assigned.
> > > > I am certain that I do not see that on my machines when I am not in
> > > > the group "sudo".
> > > 
> > > > The sudo -l output for my user (which is member of group sudo) is:
> > > 
> > > kvv at bach:~$ sudo -l
> > > [sudo] wachtwoord voor kvv:
> > > Overeenkomende standaarditems voor kvv op bach:
> > > >     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
> > > 
> > > Gebruiker kvv mag de volgende opdrachten uitvoeren op bach:
> > >       (ALL : ALL) ALL
> > > 
> > > > When comparing the output, I noticed in yours "matching default
> > > > items" are listed twice. Again no clue how it got there.
> > Yes I noticed that, but it doesn't affect sudo-ldap hint hint
> > 
> > I must log a sudo bug
> > 
> > Rowland
> > 
> > 
> > 
> Hi Rowland,
> 
> Usually you are quick and accurate in your responses, which I really
> appreciate.
> In the last few messages you are playing hide and seek with me. You did
> not show the crucial part of your configuration (/etc/sudoers) and until
> the last message you did not talk about the fact you are using
> sudo-ldap. Why is this necessary, are we not here to help each other?
> 
> I have no doubts that there are more ways to solve a problem and all of
> them have their specific pros and cons.
> 
> The reason I am using pam_script is because it provides me with a
> generic solution for all applications that can work with local
> authorization groups. One solution for many applications is a big time
> saver. The next reason is that it also works in offline or off-network
> logins, i.e. when ldap/samba-dc is not reachable. Although that could
> probably be overcome with nscd or lscd, again more than one solution to
> get it done.
> 
> Still I am interested to learn how you did the sudo-ldap setup, perhaps
> there are advantages that I overlooked.
> Then again what about other applications authorization groups? I used
> the example of libvirtd but pam_scripts also manages wireshark, sshd,
> kvm, docker, audio, video, dialout, cdrom, floppy, lpadmin, plugdev,
> bluetooth, netdev, pulse-access, users on my machines?
> 
> - Kees
> 

Yes, I use sudo-ldap with the sudo rules in AD. What I was trying to
point out was that winbind can do just about everything that the
program I will not mention can. The big problem was GPOs, and David
Mulder is working on closing that hole.

I repeat what I have been saying for a long time: you do not need that
program that I will not mention. If you think you do, then good luck to
you, just do not expect me to help you with it, as I don't use it any
more and haven't for years.

Rowland
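Rowland says the rules live in AD but the thread never shows one, which is exactly what Kees asked about. The entries below are an added illustration, not either poster's configuration: the domain samdom.example.com, the OU=sudoers container and the group linuxadmins are made up, and the sudo LDAP schema (schema.ActiveDirectory from the sudo sources) is assumed to have been imported into the AD schema already.

```ldif
# Constructed example for sudo's LDAP backend (sudo-ldap) against a Samba AD DC.
# Domain, OU and group names are placeholders, not from the thread.

# Optional: site-wide Defaults kept in AD instead of /etc/sudoers.
# sudo -l reports the sudoOption values of this entry under
# "Matching Defaults entries", alongside whatever /etc/sudoers still supplies,
# so a host that keeps both will list Defaults from both sources.
# Note: no backslash escaping of ':' here; that is only needed in the sudoers
# file syntax, and is what sudo -l displays.
dn: CN=defaults,OU=sudoers,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption values for all domain members
sudoOption: env_reset
sudoOption: mail_badpass
sudoOption: secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Rule: members of the AD group "linuxadmins" may run any command as any user
# and group on any host, after entering their own password. This is the LDAP
# equivalent of "%linuxadmins ALL=(ALL:ALL) ALL" in /etc/sudoers, and it is
# what makes sudo -l print "(ALL : ALL) ALL" for a member with no local rule.
# The %group reference is matched against the group list the OS resolves for
# the user, which winbind provides on a domain member; no local group is needed.
dn: CN=linuxadmins-all,OU=sudoers,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: sudoRole
cn: linuxadmins-all
description: Full sudo for the linuxadmins group on all domain members
sudoUser: %linuxadmins
sudoHost: ALL
sudoRunAsUser: ALL
sudoRunAsGroup: ALL
sudoCommand: ALL
```

Each domain member then needs /etc/sudo-ldap.conf pointing at the DC (`uri` and `sudoers_base OU=sudoers,DC=samdom,DC=example,DC=com`) and `sudoers: files ldap` in /etc/nsswitch.conf, after which `sudo -l` shows the rule without any edit to /etc/sudoers or /etc/sudoers.d. Narrowing `sudoHost` to a host name or netgroup and `sudoCommand` to specific binaries is how least privilege is kept when rules are centralised this way.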